# Setup
## Install
Start by installing Go and Git. On Debian, run:

```
apt install golang git
```

Then fetch, build and install the program. This needs Go 1.16 or newer; `go get` used to do the same job, but since Go 1.18 it no longer installs binaries:

```
go install tildegit.org/nervuri/client-hello-mirror@latest
```

The resulting binary should now be at `~/go/bin/client-hello-mirror` (or under `$GOBIN`, if that is set). You can make it available to all users on the system by linking it into `/usr/local/bin`; if your home directory is not readable by other users, copy the binary there instead of linking it, since they could not follow the symlink:

```
ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
```

## Run
Generate a TLS certificate. The CA-signed route needs a web server already serving `/var/www/example.com` over plain HTTP on port 80, so that certbot can answer the ACME challenge there; the self-signed route works anywhere, but browsers will warn about the unknown issuer:

```
# CA-signed (certbot writes the files under /etc/letsencrypt/live/example.com/):
certbot certonly --webroot -w /var/www/example.com -d example.com

# or self-signed. Browsers ignore the CN and require a subjectAltName;
# the -addext option needs OpenSSL 1.1.1 or newer:
openssl req -new -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" -x509 -days 36500 -nodes -out cert.pem -keyout privkey.pem
```

Run it, here on port 1965:

```
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :1965
```

## Daemonize
To run the program as a daemon and start it automatically on boot, manage it with your operating system's init system. Instructions for systemd follow.
Sample systemd unit file:

```
[Unit]
Description=TLS Client Hello Mirror
After=network.target

[Service]
Type=simple
Restart=always
# systemd does not start ExecStart through a shell, so a "2>file" redirection
# would be handed to the program as arguments; use StandardError= instead
# (the append: target needs systemd 240 or newer, file: works from 236).
ExecStart=/usr/local/bin/client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.com/fullchain.pem -k /etc/letsencrypt/live/example.com/privkey.pem :443
StandardError=append:/var/log/client-hello-mirror-error.log

[Install]
WantedBy=multi-user.target
```

Modify as needed, save to `/etc/systemd/system/client-hello-mirror.service` and run:

```
systemctl enable client-hello-mirror.service
systemctl start client-hello-mirror.service
```

## Drop root
A standard web-facing setup uses a CA-signed certificate and binds to privileged port 443. Both need root: certbot leaves the private key readable only by root, and ports below 1024 cannot be bound by an unprivileged user. For security reasons the program therefore drops root privileges immediately after loading the certificate and binding the specified port. Use the `-u` option to select the user to switch to (the systemd unit above passes `-u www-data`). If you really want to keep running as root, set `-u root` (not recommended).
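Two checks a practitioner would want after this, as an added example that is not part of client-hello-mirror: that the daemon's process really has no root identity and no capabilities left once it is up, and that the port it bound as root still answers TLS. The unit name, user and ports are the ones used on this page; `/proc/<pid>/status` and `openssl s_client` are standard Linux and OpenSSL tooling, and the script name `check-mirror.sh` is just a suggestion.

```shell
#!/bin/sh
# Added example, not part of client-hello-mirror: verify that the daemon's
# process has really given up root, and that the socket it bound as root
# still answers TLS afterwards.
#
# Linux exposes "Uid: real effective saved fs" and the capability sets in
# /proc/<pid>/status. A complete drop leaves all four UIDs equal and non-zero
# and an empty permitted set (CapPrm); effective and ambient capabilities are
# subsets of the permitted set, so an empty CapPrm implies those are empty too.

# uids_from_status FILE -> prints "real effective saved fs"
uids_from_status() {
    awk '/^Uid:/ { print $2, $3, $4, $5 }' "$1"
}

# root_dropped FILE -> 0 if all four UIDs are equal and non-zero, 1 otherwise.
# A process that only called seteuid() shows e.g. "0 33 0 33": its real and
# saved UIDs are still 0, so it can switch back to root at any time.
root_dropped() {
    set -- $(uids_from_status "$1")   # positional params are now the 4 UIDs
    [ "$#" -eq 4 ] || return 1
    for uid in "$@"; do
        [ "$uid" -ne 0 ] && [ "$uid" -eq "$1" ] || return 1
    done
    return 0
}

# caps_dropped FILE -> 0 if the permitted capability set is empty (all-zero hex)
caps_dropped() {
    cap=$(awk '/^CapPrm:/ { print $2 }' "$1")
    [ -n "$cap" ] && [ -z "$(printf '%s' "$cap" | tr -d 0)" ]
}

# check_service [UNIT] -> inspect the unit's main process (needs systemd; run as root)
check_service() {
    unit=${1:-client-hello-mirror.service}
    pid=$(systemctl show -p MainPID --value "$unit" 2>/dev/null)
    if [ -z "$pid" ] || [ "$pid" -eq 0 ]; then
        echo "$unit: not running"
        return 2
    fi
    status="/proc/$pid/status"
    if root_dropped "$status" && caps_dropped "$status"; then
        echo "$unit (pid $pid): privileges dropped, uids $(uids_from_status "$status")"
    else
        echo "$unit (pid $pid): STILL PRIVILEGED, uids $(uids_from_status "$status")"
        return 1
    fi
}

# probe_tls HOST PORT SNI -> 0 if the server completes a handshake and sends a certificate
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
}

# Run the checks only when asked, so the file can also be sourced for its functions:
#   RUN_CHECKS=1 sh check-mirror.sh [unit] [host] [port] [sni]
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_service "${1:-client-hello-mirror.service}"
    probe_tls "${2:-127.0.0.1}" "${3:-443}" "${4:-example.com}" \
        && echo "TLS handshake OK" || echo "TLS handshake FAILED"
fi
```

Run it as root on the host after `systemctl start`, e.g. `RUN_CHECKS=1 sh check-mirror.sh client-hello-mirror.service 127.0.0.1 443 example.com`. Both checks matter: a process whose real or saved UID is still 0 can regain root, and one whose permitted set is non-empty (for instance because the unit grants `AmbientCapabilities=`) keeps privileged abilities even though it no longer runs as root.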
## Redirect http:// to https://
client-hello-mirror only speaks TLS, so for this you'll need another web server, such as nginx, listening on port 80 and answering every plain-HTTP request with a redirect to the https:// URL.
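An nginx server block for that redirect, added here as an example rather than taken from client-hello-mirror's documentation. It assumes the hostname and certbot webroot used above, that client-hello-mirror owns port 443 (so nginx must not listen there), and Debian's `/etc/nginx/sites-enabled/` layout:

```nginx
# Added example (not part of client-hello-mirror): nginx listens on port 80 only,
# answers ACME HTTP-01 challenges from the certbot webroot used on this page,
# and redirects everything else to https://, where client-hello-mirror owns 443.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Lets "certbot certonly --webroot -w /var/www/example.com -d example.com"
    # complete its challenge without touching the mirror.
    location /.well-known/acme-challenge/ {
        root /var/www/example.com;
    }

    # Redirect to the configured name rather than $host, so a forged Host
    # header cannot turn this into a redirect to an attacker's site.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
```

Save it as `/etc/nginx/sites-available/example.com`, symlink it into `sites-enabled`, check it with `nginx -t` and reload nginx. Use a permanent (301) redirect only once the TLS side is known to work; until then 302 is easier to undo, since browsers cache 301s.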
## Update

Re-run the install command to fetch and build the newest version (`go get -u` no longer installs binaries on current Go releases), then restart the daemon with systemctl:

```
go install tildegit.org/nervuri/client-hello-mirror@latest
```